Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🚧 fix(feat): DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS #1790

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

🚧 fix(feat): DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS #1790

wants to merge 1 commit into from

Conversation

lamcodeofpwnosec
Copy link

What changed? Why?
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

PoC
Considering a website that contains the following main.js script, the devloper decides to use the rollup to bundle up the program: rollup main.js --format cjs --file bundle.js.

'use strict';

var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
var s = document.createElement('script');
s.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && False && _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';
document.head.append(s);

const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
	getResolveUrl(
		`'${escapeId(relativePath)}', ${
			umd ? `typeof document === 'undefined' ? location.href : ` : ''
		}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`
	);

WeaknessCWE-79

@vercel Vercel
Copy link

vercel bot commented Dec 24, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
onchainkit-coverage ✅ Ready (Inspect) Visit Preview 💬 Add feedback Dec 24, 2024 6:09pm
onchainkit-routes ✅ Ready (Inspect) Visit Preview 💬 Add feedback Dec 24, 2024 6:09pm

@vercel Vercel
Copy link

vercel bot commented Dec 24, 2024

@lamcodeofpwnosec is attempting to deploy a commit to the Coinbase Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@lamcodeofpwnosec